Device-mode is a feature that places specific limitations on a device, or limits access to specific configuration options. It exists to protect your router and network from attackers who might in some way gain access to your router and use it as a gateway for attacks on other networks. With the device protected in this way, even an attacker who manages to gain access to an unprotected device cannot use it to abuse your network or anyone else's.

There are three available modes: advanced, home and basic. Device modes are factory pre-installed on routers manufactured and shipped with MikroTik RouterOS v7.17 or later: advanced (previously called enterprise) mode is assigned to CCR and 1100 series devices, home mode to home routers, and basic mode to any other type of device. Devices running versions prior to RouterOS 7.17 all use the advanced/enterprise mode.

[admin@MikroTik] > system/device-mode/print 
                 mode: advanced     
     allowed-versions: 7.13+,6.49.8+
              flagged: no           
     flagging-enabled: yes          
            scheduler: yes          
                socks: yes          
                fetch: yes          
                 pptp: yes          
                 l2tp: yes          
       bandwidth-test: yes          
          traffic-gen: no           
              sniffer: yes          
                ipsec: yes          
                romon: yes          
                proxy: yes          
              hotspot: yes          
                  smb: yes          
                email: yes          
             zerotier: yes          
            container: no           
  install-any-version: no           
           partitions: no           
          routerboard: yes          
        attempt-count: 0   

The device-mode can be changed by the user, but remote access to the device is not enough to change it. After changing the device-mode, you need to confirm the change by pressing a button on the device itself or by performing a "cold reboot", that is, unplugging the power. Once the change is confirmed, by either method, the device reboots.

[admin@MikroTik] > system/device-mode/update mode=home 
  update: please activate by turning power off or pressing reset or mode button 
          in 5m00s
-- [Q quit|D dump|C-z pause]

If no power-off or button press is performed within the specified time, the mode change is canceled. If another update command is run in parallel, both are canceled.

Several EOL products do not "confirm" mode changes with a reset button press. These routers can confirm a mode change only with a power cycle.

The confirmation step alone would not stop an attacker who silently gains access to your router, queues a mode change with a script, and simply waits until you reboot the router yourself, accepting the intruder's request without knowing it. To protect against this, "update" can be attempted only three times. A counter records how many update attempts have been made and refuses any further updates once the limit is reached. This counter can be reset only when an administrator power-cycles the router or presses a button after seeing the warning below on a mode-update attempt (the same action that accepts any update).

[admin@MikroTik] > system/device-mode/update container=yes 
  update: too many unsuccessful attempts, turn off power or reboot by pressing reset or mode button in 4m55s to reset attempt-count
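The following is an added example, not MikroTik's code: a small model of the confirmation flow described above (remote request, activation timeout, physical confirmation, parallel-request cancellation and the three-attempt counter), so that the attacker-waits-for-your-reboot scenario can be walked through. The page does not spell out every detail, so these are assumptions: a request that times out or is cancelled counts as one unsuccessful attempt (two when a parallel request cancels both), the lockout begins once three have accumulated, and any physical confirmation, button or power cycle, clears the counter.

```python
"""Added example, not MikroTik's code: a model of the physical-confirmation
flow for device-mode updates, including the three-attempt counter.
Assumptions the page does not spell out: a request that times out or is
cancelled counts as one unsuccessful attempt (two when a parallel request
cancels both), the lockout starts once three have accumulated, and any
physical confirmation (button or power cycle) clears the counter."""

MAX_ATTEMPTS = 3
DEFAULT_TIMEOUT = 5 * 60  # activation-timeout default of 5m, in seconds


class DeviceModeConfirmer:
    def __init__(self, config, timeout=DEFAULT_TIMEOUT):
        self.config = dict(config)      # the active device-mode settings
        self.timeout = timeout
        self.attempt_count = 0
        self.pending = None             # (requested changes or None, seconds left)
        self.reboots = 0

    def update(self, **changes):
        """Remote `device-mode/update`: only queues the change, nothing applies yet."""
        if self.pending is not None and self.pending[0] is not None:
            self._cancel(2)             # a parallel update cancels both requests
            return "cancelled: another update was already pending"
        if self.attempt_count >= MAX_ATTEMPTS:
            # Locked out: open a window in which a physical action resets the counter.
            self.pending = (None, self.timeout)
            return ("too many unsuccessful attempts, turn off power or reboot by "
                    "pressing reset or mode button to reset attempt-count")
        self.pending = (changes, self.timeout)
        return "please activate by turning power off or pressing reset or mode button"

    def tick(self, seconds):
        """Time passes with nobody touching the router."""
        if self.pending is None:
            return
        changes, left = self.pending
        if left <= seconds:
            self._cancel()              # timeout: the request is dropped and counted
        else:
            self.pending = (changes, left - seconds)

    def physical_confirm(self):
        """Button press or power cycle: applies whatever is pending, clears the
        counter and reboots. This applies an attacker's queued request just as
        readily as the administrator's own, which is why the counter exists."""
        if self.pending is None:
            return "nothing pending"
        changes, _ = self.pending
        if changes is not None:
            if "mode" in changes:
                self.config = dict(changes)     # mode= replaces the whole configuration
            else:
                self.config.update(changes)     # a per-feature update merges
        self.pending = None
        self.attempt_count = 0
        self.reboots += 1
        return "rebooting"

    def _cancel(self, count=1):
        self.pending = None
        self.attempt_count += count
```

Walking an attacker through it: three queued `container=yes` requests that nobody confirms each expire and raise attempt-count to 3, the fourth request is refused, and the counter only returns to 0 when someone physically touches the router, which also applies anything still pending at that moment. That last point is the reason to check `system/device-mode/print` before every planned reboot.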

The following commands are available in the /system/device-mode menu:

get
  Returns a value that you can assign to a variable or print on the screen.

print
  Shows the active mode and its properties.

update
  Applies changes to the specified properties, see below.

Available device-mode modes

There are three device modes available for configuration (mode=advanced is the default). Each mode has a subset of features that are not allowed while it is in use. Note that no mode has all features enabled: certain features must be enabled explicitly even in "advanced" mode. See the section "Feature clarification" for details about what each option means. As the table below shows, the "traffic-gen, container, install-any-version, partitions, routerboard" features are disabled in every mode unless specifically enabled by the admin user.

advanced (default)
  Disabled features: traffic-gen, container, install-any-version, partitions, routerboard

basic
  Disabled features: socks, bandwidth-test, traffic-gen, proxy, hotspot, zerotier, container, install-any-version, partitions, routerboard

home
  Disabled features: scheduler, socks, fetch, bandwidth-test, traffic-gen, sniffer, romon, proxy, hotspot, email, zerotier, container, install-any-version, partitions, routerboard

List of available properties

scheduler, socks, fetch, pptp, l2tp, bandwidth-test, traffic-gen, sniffer, ipsec, romon, proxy, hotspot, smb, email, zerotier, container, install-any-version, partitions, routerboard (yes | no)
  The list of features that can be controlled with the device-mode option. See the section "Feature clarification" for details about what each option means.

activation-timeout (default: 5m)
  The reset button or power-off activation timeout, settable in the range 00:00:10 .. 1d00:00:00. If the reset button is not pressed (or a cold reboot is not performed) within this interval, the update is canceled.

flagging-enabled (yes | no; default: yes)
  Enable or disable the flagged status. See below for a detailed description.

flagged (yes | no; default: no)
  RouterOS employs various mechanisms to detect tampering with its system files. If the system has detected unauthorized access to RouterOS, the status "flagged" is set to yes. While "flagged" is yes, certain limitations are enforced for your safety. See the chapter below for more information.

mode (basic, home, advanced; default: advanced)
  Selects one of the available modes that limit device functionality.

By default, advanced mode allows all options except traffic-gen, container, install-any-version, partitions and routerboard. To use these features, you will need to turn them on by performing a device-mode update.

By default, home mode disables the following features: scheduler, socks, fetch, bandwidth-test, traffic-gen, sniffer, romon, proxy, hotspot, email, zerotier, container, install-any-version, partitions, routerboard.

More specific control over the available features is possible. Each of the features controlled by device-mode can be specifically turned on or off. 

For instance, scheduler=no prevents any action in the system scheduler. The selected mode disables all of its listed features; if, for example, mode=home is in use but zerotier is required for your setup, you will need to run /system device-mode update zerotier=yes and confirm it with physical access to the device, by pushing the button or cutting the power.

[admin@MikroTik] > system/device-mode/update mode=home email=yes
[admin@MikroTik] > system/device-mode/update mode=advanced zerotier=no

If the update command specifies the mode parameter, the update replaces the entire device-mode configuration: all "per-feature" settings are lost except those specified in the same command. For instance:

[admin@MikroTik] > system/device-mode/update mode=home email=yes fetch=yes
[admin@MikroTik] > system/device-mode/print config
   mode: home
  fetch: yes
  email: yes
[admin@MikroTik] > system/device-mode/update mode=advanced sniffer=no
-- reboot --
[admin@MikroTik] > system/device-mode/print config
     mode: advanced
  sniffer: no

fetch=yes and email=yes are gone: they were overridden by the mode change. Specifying only "per-feature" settings, however, changes only those:

[admin@MikroTik] > system/device-mode/update hotspot=no
-- reboot --
[admin@MikroTik] > system/device-mode/print config
     mode: advanced
  sniffer: no
  hotspot: no
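The following is an added example, not MikroTik's code: it encodes the mode table and the update semantics from the sections above (mode= replaces the whole configuration, a per-feature update merges), resolves a `print config` capture into the effective per-feature state, and audits it the way you would when checking a fleet of routers for unexpected enablements or a flagged state (see "Flagged status" below). The only assumption beyond the page is that the print output has been captured as text, for example over SSH.

```python
"""Added example, not MikroTik's code: model the device-mode rules on this
page and audit a router's `system/device-mode/print config` output.
Assumption: the print output has been captured as text (e.g. over SSH)."""
import re

# Features disabled by each mode, copied from the "Available device-mode modes" table.
MODE_DISABLED = {
    "advanced": {"traffic-gen", "container", "install-any-version", "partitions",
                 "routerboard"},
    "basic": {"socks", "bandwidth-test", "traffic-gen", "proxy", "hotspot", "zerotier",
              "container", "install-any-version", "partitions", "routerboard"},
    "home": {"scheduler", "socks", "fetch", "bandwidth-test", "traffic-gen", "sniffer",
             "romon", "proxy", "hotspot", "email", "zerotier", "container",
             "install-any-version", "partitions", "routerboard"},
}
FEATURES = ["scheduler", "socks", "fetch", "pptp", "l2tp", "bandwidth-test", "traffic-gen",
            "sniffer", "ipsec", "romon", "proxy", "hotspot", "smb", "email", "zerotier",
            "container", "install-any-version", "partitions", "routerboard"]
# Disabled in every mode; only an explicit per-feature update turns these on.
ALWAYS_DISABLED = set.intersection(*MODE_DISABLED.values())


def parse_print(text):
    """Parse the `key: value` lines of a device-mode print into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+):\s*(\S+)", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def apply_update(config, **params):
    """Reproduce `device-mode/update`: passing mode= replaces the whole
    per-feature configuration; passing only features merges them in."""
    new = dict(params) if "mode" in params else {**config, **params}
    new.setdefault("mode", config.get("mode", "advanced"))
    return new


def effective_features(config):
    """Resolve the mode baseline plus per-feature overrides into feature -> bool."""
    disabled = MODE_DISABLED[config.get("mode", "advanced")]
    eff = {f: f not in disabled for f in FEATURES}
    for f in FEATURES:
        if f in config:
            eff[f] = config[f] == "yes"
    return eff


def audit(config):
    """Findings a reviewer wants: flagged state, always-disabled features that
    somebody enabled, and features enabled above the selected mode's baseline."""
    findings = []
    if config.get("flagged") == "yes":
        findings.append("flagged: tampering detected, audit the configuration before clearing")
    mode = config.get("mode", "advanced")
    for f, on in effective_features(config).items():
        if on and f in ALWAYS_DISABLED:
            findings.append(f"{f} explicitly enabled (disabled in every mode)")
        elif on and f in MODE_DISABLED[mode]:
            findings.append(f"{f} enabled above the {mode} baseline")
    return findings


if __name__ == "__main__":
    # Constructed sample, not real router output: a home-mode router someone has tampered with.
    sample = "     mode: home\n  flagged: yes\ncontainer: yes\n zerotier: yes\n"
    for finding in audit(parse_print(sample)):
        print(finding)
```

Replaying the page's own sequence (`mode=home email=yes fetch=yes`, then `mode=advanced sniffer=no`, then `hotspot=no`) through `apply_update` yields exactly the three `print config` states shown above, which makes the function a convenient way to predict what a planned update will leave behind before you ask someone to press the button.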

If a feature is disabled, interactive commands return an error message:

[admin@MikroTik] > system/device-mode/print config
     mode: advanced
  sniffer: no
  hotspot: no
[admin@MikroTik] > tool/sniffer/quick 
failure: not allowed by device-mode

It is still possible to add configuration for a disabled feature, but it stays inactive and carries a comment naming the device-mode restriction:

[admin@MikroTik] > ip hotspot/add interface=ether1 
[admin@MikroTik] > ip hotspot/print 
Flags: X, S - HTTPS
Columns: NAME, INTERFACE, PROFILE, IDLE-TIMEOUT
#   NAME      INTERFACE  PROFILE  IDLE-TIMEOUT
;;; inactivated, not allowed by device-mode
0 X hotspot1  ether1     default  5m          

Feature clarification 

Feature, followed by the menus that become unavailable when it is disabled:

bandwidth-test
  /tool bandwidth-test
  /tool bandwidth-server
  /tool speed-test

routerboard
  /system routerboard settings (except the auto-upgrade option)

container
  all container functionality

install-any-version
  RouterOS will no longer allow you to install a RouterOS version below the versions listed under the "allowed-versions" attribute.

email
  /tool e-mail

fetch
  /tool fetch

hotspot
  /ip hotspot

ipsec
  /ip ipsec

l2tp
  /interface l2tp-server
  /interface l2tp-client

partitions
  /partitions
  Does not allow changing the number of partitions. If your router is unable to boot, it will still be able to boot into your other partitions. No restriction on crash recovery.

pptp
  /interface pptp-server
  /interface pptp-client

proxy
  /ip proxy

romon
  /tool romon

scheduler
  /system scheduler

smb
  /ip smb

sniffer
  /tool sniffer

socks
  /ip socks

traffic-gen
  /tool traffic-generator
  /tool flood-ping
  /tool ping-speed

zerotier
  /zerotier

Allowed versions

Device mode lists among its parameters an argument called "allowed-versions". This is the list of versions that MikroTik considers secure, that is, free of any serious vulnerabilities an attacker could use. The list is updated to versions that include major changes in RouterOS, below which downgrade should not be allowed.

This setting does not depend on the installed RouterOS version and works as a separate mechanism, so that an attacker cannot downgrade step by step to reach a vulnerable RouterOS release. If you upgrade RouterOS to a release that carries a newer "allowed-versions" list, the older list is overwritten. If you downgrade RouterOS, the "allowed-versions" list does not change and remains at the latest list.

This list is ignored if the device-mode option "install-any-version" is enabled.
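The following is an added example, not MikroTik's code, showing how the allowed-versions floor blocks a step-by-step downgrade. The page does not define the syntax of the list, so this is an assumption: each entry such as "7.13+" is the minimum acceptable release within its major train, a major train with no entry is refused (fail closed), and install-any-version=yes bypasses the check entirely.

```python
"""Added example, not MikroTik's code: decide whether a target RouterOS
release may be installed under an "allowed-versions" list such as
"7.13+,6.49.8+". Assumption (the page does not define the syntax): each
entry is the minimum acceptable release within its major train, a major
train with no entry is refused, and install-any-version=yes bypasses the
check entirely."""
import re


def parse_version(s):
    """'6.49.8' -> (6, 49, 8); '7.13' -> (7, 13, 0); a suffix such as 'rc1' is ignored."""
    parts = []
    for piece in s.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            raise ValueError(f"bad version component {piece!r} in {s!r}")
        parts.append(int(m.group()))
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def parse_allowed(spec):
    """'7.13+,6.49.8+' -> {7: (7, 13, 0), 6: (6, 49, 8)}: one floor per major train."""
    floors = {}
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry.endswith("+"):
            raise ValueError(f"unexpected allowed-versions entry {entry!r}")
        v = parse_version(entry[:-1])
        floors[v[0]] = v
    return floors


def install_allowed(target, allowed_versions, install_any_version=False):
    """True if `target` is at or above the floor for its major train."""
    if install_any_version:
        return True                      # install-any-version=yes disables the check
    t = parse_version(target)
    floor = parse_allowed(allowed_versions).get(t[0])
    return floor is not None and t >= floor


def first_blocked_step(path, allowed_versions):
    """Walk a chain of installs an attacker might attempt and return the first
    release the router refuses, or None if every step is allowed. The floor is
    the same at every step because downgrades do not change the list."""
    for version in path:
        if not install_allowed(version, allowed_versions):
            return version
    return None


if __name__ == "__main__":
    # Constructed downgrade chain, not taken from any incident.
    chain = ["7.18.2", "7.13", "7.12.1", "6.45"]
    print("first refused install:", first_blocked_step(chain, "7.13+,6.49.8+"))
```

With the list from the print output at the top of this page, 7.13 and 6.49.8 are the floors: 7.12.1 is refused, 6.49.7 is refused, and a chain that tries to reach an old 6.x release by way of 7.12.1 stops at that first step.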

Flagged status

Along with the device-mode feature, RouterOS can now analyze the whole configuration at system startup to determine whether there are any signs of unauthorized access to your router. If suspicious configuration is detected, it is disabled and the flagged parameter is set to "yes". The device is then in the Flagged state and enforces certain limitations.

[admin@MikroTik] > system/device-mode/print 
     mode: advanced
  flagged: yes
  sniffer: no
  hotspot: no

While the system is in the flagged status, the current configuration keeps working, but the following actions are not possible:

bandwidth-test, traffic-generator and sniffer, as well as configuration actions that enable or create new configuration entries (disabling or deleting them remains possible) for the following programs: system scheduler, SOCKS proxy, pptp, l2tp, ipsec, proxy, smb.

Performing the aforementioned actions while the router is in the flagged state produces an error message:

[admin@MikroTik] > /tool sniffer/quick 
failure: configuration flagged, check all router configuration for unauthorized changes and update device-mode
[admin@MikroTik] > /int l2tp-client/add connect-to=1.1.1.1 user=user
failure: configuration flagged, check all router configuration for unauthorized changes and update device-mode

To exit the flagged state, run "/system/device-mode/update flagged=no". The system will ask you to either press a button or perform a hard reboot (cut the power physically, or hard-reboot the virtual machine).

Important! Although the system has disabled the malicious-looking rules that triggered the flagged state, it is crucial to inspect all of your configuration for other unknown changes before exiting the flagged state. If your system has been flagged, assume it has been compromised and do a full audit of all settings before returning it to service. After completing the audit, change all system passwords and upgrade to the latest RouterOS version.

